Chapter 3: Nmap's Ping Options
Understanding nmap's myriad scan types is only the beginning of harnessing its power. Nmap's additional options provide over fifty different choices of packet timings, ping options, output formats, and other customizable features! Although this considerable quantity of options seems overwhelming, it's this abundance of choices that provides nmap with incredible flexibility in nearly any networking environment.
Ping Options
Nmap "pings" a remote station before initiating the scanning process unless host discovery is explicitly disabled (-Pn in current releases, -P0 in older ones). In the nmap version this text documents, the default ping consists of an ICMP echo request followed by a TCP ACK to port 80; current releases also send a TCP SYN to port 443 and an ICMP timestamp request when running with raw-socket privileges, and fall back to TCP SYN probes to ports 80 and 443 when unprivileged. If a station does not respond to any ping method, nmap treats it as down, skips the port scan for it, and continues to the next target. If the scan does not have any additional targets, the scan will end.
Networking purists consider the term "ping" as a reference to an ICMP echo request and the corresponding ICMP echo reply. However, nmap's use of the word "ping" is more generic. In the nmap world, a ping is any request that would prompt a remote station's response. Throughout this text, a ping will refer to nmap's more relaxed definition.
The purpose of an nmap ping is to provoke any kind of response from a remote station. Once a response is received from a remote device, nmap identifies that device as active on the network and begins scanning it for detailed port information. Most of these ping options can be combined together to maximize the possibility of locating a device through firewalls or packet filters.
Nmap's pings can also be customized for the situation. For example, a firewall that blocks ICMP and ACK on port 80 might allow nmap to ping through the firewall with a TCP SYN to port 135 or a UDP query to port 22. Any answer proves the host is alive: a SYN/ACK or RST to the SYN probe, or an ICMP port unreachable (or an application reply) to the UDP probe. This customization can also be used as a filter that identifies only devices fitting a certain profile, such as routers or mail servers, but with one caveat: because a RST from a closed port also marks a host as up, the filtering effect only holds where intervening packet filters silently drop probes to ports that are not open.
Subnet Broadcasts
If an IP subnet is selected as a destination, nmap will also send ping requests to the subnet's broadcast addresses. For example, an nmap destination of 192.168.0.2/24 (nmap ignores the host bits and scans the whole block) will prompt an nmap ping of all hosts between 192.168.0.1 and 192.168.0.254. Additionally, nmap will include 192.168.0.0 and 192.168.0.255 as destination addresses.
Many systems will respond to an "all-zeros" or "all-ones" broadcast, even though an individual IP address has not been specified. Some operating systems are configured to ignore these directed broadcasts by default (Linux, for instance, ships with net.ipv4.icmp_echo_ignore_broadcasts set to 1), but many stations will unknowingly respond to at least one of these broadcast types. Because the replies come from the responders' own addresses rather than the broadcast address itself, treat any "up" result for the all-zeros or all-ones address with suspicion, or exclude those two addresses from the sweep when you only want individually addressable hosts.
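The following Python helper ties the two ideas above together: it expands a CIDR target the way nmap does (including the all-zeros and all-ones addresses), builds an nmap ping-sweep command from the ping types described here, and sorts a sweep's results into real hosts and broadcast-address hits. This is an added example, not code from the book or from the Nmap project. It assumes current Nmap flag names (-sn, -PE, -PA, -PS, -PU, --exclude, -oG), and the grepable output embedded in SAMPLE_OG is constructed for the demonstration, not captured from a real network.

```python
"""Ping-sweep helpers for a subnet target (constructed example, not Nmap code)."""
import ipaddress
import re

# Constructed sample of `nmap -sn -oG -` output; the hosts are invented.
SAMPLE_OG = """# Nmap 7.94 scan initiated as: nmap -sn -PE -PA80 -oG - 192.168.0.2/24
Host: 192.168.0.0 ()\tStatus: Up
Host: 192.168.0.1 (gw.example)\tStatus: Up
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.50 ()\tStatus: Down
Host: 192.168.0.255 ()\tStatus: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned in 5.02 seconds
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def expand_targets(spec):
    """Expand a CIDR target as nmap does: every address in the block, host bits
    ignored, with the all-zeros and all-ones addresses included.
    Returns [(address, kind)] with kind in {"network", "broadcast", "host"}."""
    net = ipaddress.ip_network(spec, strict=False)  # 192.168.0.2/24 -> 192.168.0.0/24
    targets = []
    for addr in net:
        if net.prefixlen < 31 and addr == net.network_address:
            kind = "network"
        elif net.prefixlen < 31 and addr == net.broadcast_address:
            kind = "broadcast"
        else:
            kind = "host"  # /31 and /32 blocks have no broadcast address
        targets.append((str(addr), kind))
    return targets


def ping_sweep_command(spec, icmp_echo=True, ack_ports=(80,), syn_ports=(),
                       udp_ports=(), skip_broadcast=False):
    """Build an nmap host-discovery command (-sn) from the ping types in the text:
    ICMP echo (-PE), TCP ACK (-PA), TCP SYN (-PS) and UDP (-PU). The defaults
    reproduce the ICMP echo + TCP ACK/80 ping described above; skip_broadcast
    adds --exclude for the all-zeros and all-ones addresses."""
    args = ["nmap", "-sn"]
    if icmp_echo:
        args.append("-PE")
    for flag, ports in (("-PA", ack_ports), ("-PS", syn_ports), ("-PU", udp_ports)):
        if ports:
            args.append(flag + ",".join(str(p) for p in ports))
    if skip_broadcast:
        special = [a for a, kind in expand_targets(spec) if kind != "host"]
        if special:
            args += ["--exclude", ",".join(special)]
    args.append(spec)
    return args


def parse_grepable(text):
    """Parse 'Host: <ip> (<name>)  Status: <state>' lines from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            ip, name, status = m.groups()
            hosts[ip] = (name or None, status)
    return hosts


def live_hosts(spec, grepable_text):
    """Split the 'Up' results of a sweep into individually addressable hosts
    and hits on the subnet's all-zeros / all-ones addresses."""
    kinds = dict(expand_targets(spec))
    up = [ip for ip, (_, status) in parse_grepable(grepable_text).items()
          if status == "Up"]
    return {
        "hosts": [ip for ip in up if kinds.get(ip) == "host"],
        "broadcast_hits": [ip for ip in up if kinds.get(ip) in ("network", "broadcast")],
    }


if __name__ == "__main__":
    print(" ".join(ping_sweep_command("192.168.0.2/24", icmp_echo=False, ack_ports=(),
                                      syn_ports=(135,), udp_ports=(22,),
                                      skip_broadcast=True)))
    print(live_hosts("192.168.0.2/24", SAMPLE_OG))
```

The firewall scenario from the text (ICMP and ACK/80 blocked) maps to `ping_sweep_command(spec, icmp_echo=False, ack_ports=(), syn_ports=(135,), udp_ports=(22,))`; running the resulting command with `-oG -` and feeding its output to `live_hosts` shows at a glance whether any of the "up" results came from the broadcast addresses rather than from a station with its own address.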